Thousands of Microsoft Exchange servers are still vulnerable to this dangerous flaw


Tens of thousands of Microsoft Exchange servers are still vulnerable to a high-severity flaw used in ProxyNotShell exploits, researchers have warned.

Cybersecurity researchers at the Shadowserver Foundation said almost 70,000 IPs were vulnerable to CVE-2022-41082, a remote code execution (RCE) vulnerability patched in early November last year.

At press time, Shadowserver’s data shows at least 57,000 vulnerable IPs, although the information comes with a disclaimer that results were “calculated by summing counts of unique IPs, which means that a ‘unique’ IP may have been counted more than once”.

Mitigations and patches

“Any figures should be treated as indicative rather than exact,” Shadowserver said. However, declining figures could be an indication of a positive trend.

Two high-severity vulnerabilities were dubbed ProxyNotShell: the abovementioned CVE-2022-41082, and CVE-2022-41040, an elevation of privilege flaw that was also patched in early November. The affected endpoints include Exchange Server 2013, 2016, and 2019.

While there are mitigations available, researchers are urging IT pros to apply the patch instead, as the mitigations can be worked around. One report from BleepingComputer described ransomware operators using a newly discovered exploit chain to bypass certain ProxyNotShell mitigations and execute malicious code remotely on target devices.

Exchange servers are valuable to hackers, and as such are often targeted. For example, the infamous LockBit group was recently caught deploying malware via compromised Exchange servers. Last summer, two servers belonging to one company were infected with LockBit 3.0. As per the report, the attackers first deployed a web shell, then escalated privileges to Active Directory admin a week later, stole some 1.3 TB of data, and encrypted systems hosted on the network.

Late last year, researchers uncovered a malicious campaign attempting to exploit the already-fixed ProxyShell vulnerability in Microsoft Exchange, too. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
